
RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet

Severity: Critical
Tags: Malware, remote
Published: Sat Nov 15 2025 (11/15/2025, 16:35:00 UTC)
Source: The Hacker News

Description

The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances vulnerable to a critical security flaw that could allow attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/

AI-Powered Analysis

Last updated: 11/15/2025, 16:44:51 UTC

Technical Analysis

The RondoDox botnet malware has been observed exploiting a critical vulnerability in XWiki instances, tracked as CVE-2025-24893, an eval injection flaw with a CVSS score of 9.8. The vulnerability allows unauthenticated guest users to perform arbitrary remote code execution by sending crafted requests to the /bin/get/Main/SolrSearch endpoint. The flaw was patched in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025. Despite the availability of patches, exploitation attempts have increased sharply since late 2025, with a notable spike in early November. Multiple threat actors, including RondoDox, have weaponized this vulnerability to deploy cryptocurrency miners, establish reverse shells, and conscript devices into a botnet used for distributed denial-of-service (DDoS) attacks over HTTP, UDP, and TCP. The attack chain is two-staged: the server is compromised first, and secondary payloads are deployed afterwards. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the severity by adding the vulnerability to its Known Exploited Vulnerabilities catalog, requiring remediation by November 20, 2025. The widespread scanning activity and rapid adoption by various malicious actors underscore the need for timely patching and proactive defense. The vulnerability's ease of exploitation, lack of authentication requirements, and potential for full system compromise make it a high-risk threat for organizations using XWiki, especially those with internet-facing instances.

Potential Impact

European organizations running unpatched XWiki servers are at high risk of compromise, leading to unauthorized remote code execution, data breaches, and potential lateral movement within networks. The infection of systems by RondoDox can result in devices being conscripted into a botnet used for large-scale DDoS attacks, which can disrupt critical services and damage organizational reputation. The deployment of cryptocurrency miners can degrade system performance and increase operational costs. Additionally, reverse shells established by attackers can facilitate persistent access, espionage, or further malware deployment. Given XWiki's use in knowledge management and collaboration, compromised servers may expose sensitive corporate or personal data, violating GDPR and other data protection regulations. The operational disruption and potential regulatory penalties could have significant financial and reputational consequences for European entities. The surge in exploitation attempts also increases the likelihood of collateral damage to interconnected systems and supply chains.

Mitigation Recommendations

Organizations should immediately verify their XWiki versions and apply the official patches released in February 2025 (versions 15.10.11, 16.4.1, 16.5.0RC1 or later on each release line). If patching is not immediately feasible, implement network-level controls to restrict access to the /bin/get/Main/SolrSearch endpoint, for example web application firewall (WAF) rules that limit who may reach that path. Conduct thorough network and endpoint monitoring for indicators of compromise, including unusual outbound traffic patterns consistent with botnet activity or cryptocurrency mining. Employ intrusion detection systems (IDS) tuned to detect exploitation attempts targeting CVE-2025-24893. Regularly audit and harden XWiki configurations, disable guest access if it is not required (the flaw is reachable by guests), and enforce strict access controls. Incident response plans should be updated to include procedures for detecting and mitigating RondoDox infections. Finally, organizations should engage in threat intelligence sharing to stay informed about emerging exploitation trends and indicators.
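The two checks above that an operator can script directly are the version verification and the review of web-server logs for requests to the affected endpoint. The following is an added defender-side example, not code from the advisory, from XWiki, or from The Hacker News. It takes the fixed versions (15.10.11, 16.4.1, 16.5.0RC1) and the endpoint path from the analysis above; the branch rule it applies (a fix covers its own MAJOR.MINOR line and everything after it, and the newest fix covers every later release line) is an assumption made here, as are the sample log lines, which are constructed, not captured traffic. It does not inspect or reproduce any exploit payload; it only reports which client addresses reached the endpoint, after percent-decoding the path so an encoded variant is not missed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Fixed versions as stated in the advisory; "or later" on each branch is patched.
FIXED_VERSIONS = ("15.10.11", "16.4.1", "16.5.0RC1")

# Endpoint named in the advisory as the one reached by CVE-2025-24893 requests.
SUSPECT_PATH = "/bin/get/Main/SolrSearch"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]?RC(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[RCn]' into a sortable tuple.

    A release candidate sorts before the final release of the same number:
    16.5.0RC1 -> (16, 5, 0, 0, 1), 16.5.0 -> (16, 5, 0, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    final = 0 if rc else 1
    return (int(major), int(minor), int(patch), final, int(rc or 0))


def is_patched(version_text):
    """Return True if the installed version carries the fix for CVE-2025-24893.

    Assumption (not stated on the page): a fix applies to its own MAJOR.MINOR
    branch and everything after it, and the newest fix (16.5.0RC1) covers every
    later release line. Hence 16.0.0 is treated as vulnerable even though it is
    newer than 15.10.11.
    """
    v = parse_version(version_text)
    fixes = sorted(parse_version(f) for f in FIXED_VERSIONS)
    if v >= fixes[-1]:
        return True
    return any(v[:2] == f[:2] and v >= f for f in fixes)


# Apache/nginx "combined" access-log shape: ip ident user [time] "METHOD target proto" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspect_hits(log_lines):
    """Count requests per client IP whose percent-decoded path starts with the
    SolrSearch endpoint. Returns a Counter keyed by client IP.

    On an unpatched server every such request deserves review, since the
    advisory says guest (unauthenticated) access is enough; the per-IP count
    separates a scanner from a single stray browser click.
    """
    hits = Counter()
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m.group("target").split("?", 1)[0])
        if path.startswith(SUSPECT_PATH):
            hits[m.group("ip")] += 1
    return hits


# Constructed sample log lines (not real traffic). The second line percent-encodes
# one character of the path, which a naive match on the raw request would miss.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2025:10:01:02 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=x HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Nov/2025:10:01:03 +0000] "GET /bin/get/Main/Solr%53earch?media=rss HTTP/1.1" 200 512',
    '198.51.100.4 - - [14/Nov/2025:10:02:00 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8192',
    '198.51.100.4 - - [14/Nov/2025:10:02:10 +0000] "POST /bin/get/Main/SolrSearch HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ver in ("15.10.10", "15.10.11", "16.0.0", "16.4.1", "16.5.0RC1", "16.5.0", "17.1.0"):
        print(f"{ver:>10}: {'patched' if is_patched(ver) else 'VULNERABLE'}")
    for ip, n in suspect_hits(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} request(s) to {SUSPECT_PATH}")
```

Run it against the installed version string and the real access log to get a per-source list of who reached the endpoint; hits from unknown sources on a server that `is_patched` reports as vulnerable are the ones to triage first. The path comparison is deliberately done after `unquote` and after stripping the query string, so the query content itself is never interpreted.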


Technical Details

Article Source: https://thehackernews.com/2025/11/rondodox-exploits-unpatched-xwiki.html (fetched 2025-11-15T16:44:35Z, 949 words)

Threat ID: 6918adf344c00f9fdd5f0721

Added to database: 11/15/2025, 4:44:35 PM

Last enriched: 11/15/2025, 4:44:51 PM

Last updated: 1/7/2026, 8:47:32 AM

Views: 142
